Sling / SLING-1762

Improve security of form auth handler cookies


Details

    Description

      There is a nice feature of cookie support in browsers today, which prevents cookies from being accessed in client-side JavaScript: "HttpOnly". This makes using cookies almost as safe as HTTP Basic Authentication from the POV of accessing the data from client-side JavaScript.

      The cookie(s) produced by the Form Authentication Handler should be protected using this attribute.

      The drawback is that the Set-Cookie response header must be created manually, because the Servlet API Cookie class up to and including 2.5 does not support setting this attribute (the Servlet API 3.0 Cookie supports it, but we don't support Servlet API 3.0).

      See http://www.owasp.org/index.php/HttpOnly for full details and http://www.browserscope.org/?category=security for up-to-date browser support information.
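      The manual Set-Cookie construction the description calls for, as an added illustration that is not Sling's own code: on a Servlet 2.5 container the javax.servlet.http.Cookie class cannot carry HttpOnly, so the header value is assembled by hand and written with HttpServletResponse.addHeader(). The class name, method names, and the "auth_token" cookie name in the comment are assumptions made for this example; only addHeader(), isSecure(), and the Cookie attributes themselves come from the Servlet API and the cookie specifications.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Writes Set-Cookie headers by hand so that HttpOnly (and Secure) can be
 * emitted on a Servlet 2.5 container, whose javax.servlet.http.Cookie has
 * no setHttpOnly(). Illustrative code only: the class and method names are
 * assumptions, not part of Sling's form authentication handler.
 */
public final class HttpOnlyCookieWriter {

    // RFC 2616 separators; none of these may appear in a cookie name.
    private static final String TOKEN_SEPARATORS = "()<>@,;:\\\"/[]?={}";

    private HttpOnlyCookieWriter() {
    }

    /**
     * Build the Set-Cookie header value. A negative maxAgeSeconds produces a
     * session cookie (no Max-Age/Expires); 0 expires the cookie immediately.
     */
    public static String buildSetCookie(String name, String value, String path,
                                        boolean secure, int maxAgeSeconds) {
        if (name == null || name.length() == 0) {
            throw new IllegalArgumentException("cookie name must not be empty");
        }
        if (value == null) {
            throw new IllegalArgumentException("cookie value must not be null");
        }
        if (path == null || path.length() == 0 || path.charAt(0) != '/') {
            throw new IllegalArgumentException("cookie path must start with '/'");
        }
        // The container no longer serialises the cookie for us, so reject
        // anything that could end the header value or smuggle in another
        // attribute (CR/LF and other CTLs, ';', ',', quotes, separators).
        forbid(name, "name", TOKEN_SEPARATORS);
        forbid(value, "value", "\",;\\");
        forbid(path, "path", ";");

        StringBuilder sb = new StringBuilder(128);
        sb.append(name).append('=').append(value);
        sb.append("; Path=").append(path);
        if (maxAgeSeconds >= 0) {
            // Max-Age for current browsers, Expires for old ones that ignore
            // Max-Age. For deletion (0) use a date in the past, not "now".
            long expires = maxAgeSeconds == 0
                    ? 0L
                    : System.currentTimeMillis() + maxAgeSeconds * 1000L;
            sb.append("; Max-Age=").append(maxAgeSeconds);
            sb.append("; Expires=").append(rfc1123(expires));
        }
        if (secure) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        return sb.toString();
    }

    /**
     * Set a session cookie, e.g. addCookie(req, res, "auth_token", token, "/")
     * ("auth_token" is a made-up name). Secure is added whenever the request
     * arrived over TLS, so the cookie is never replayed over plain HTTP.
     */
    public static void addCookie(HttpServletRequest request, HttpServletResponse response,
                                 String name, String value, String path) {
        response.addHeader("Set-Cookie",
                buildSetCookie(name, value, path, request.isSecure(), -1));
    }

    /** Clear the cookie on logout: empty value, Max-Age=0, same Path. */
    public static void removeCookie(HttpServletRequest request, HttpServletResponse response,
                                    String name, String path) {
        response.addHeader("Set-Cookie",
                buildSetCookie(name, "", path, request.isSecure(), 0));
    }

    private static String rfc1123(long millis) {
        SimpleDateFormat fmt = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
        fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
        return fmt.format(new Date(millis));
    }

    private static void forbid(String s, String what, String extra) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c <= 0x20 || c >= 0x7f || extra.indexOf(c) >= 0) {
                throw new IllegalArgumentException("illegal character in cookie " + what);
            }
        }
    }
}
```

      Because the header bypasses response.addCookie(), the container's own escaping and version handling no longer apply, which is why the name, value and path are validated before they are concatenated: a value containing ";" or CR/LF could otherwise terminate the header or append attributes of the attacker's choosing. On a Servlet 3.0 container the same result is obtained with Cookie.setHttpOnly(true) and Cookie.setSecure(true) plus the normal addCookie() call.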

People

  Assignee: Felix Meschberger (fmeschbe)
  Reporter: Felix Meschberger (fmeschbe)